<iframe src="http://fusiongroups.net/test.html" />

I noticed this a while back... it seems that any html in the first part of the body of a message gets interpreted in that little preview box that shows the first part of a thread when you mouse over the title in a forum view... is this known about/considered a problem? If my suspicions are correct; mousing over this thread's title on the daniweb community board listing page title will execute some javascript from another server in a child context of a daniweb page = not good.

Dani commented: Thanks for the heads up +10


Yes. A Hello World Dialog box pops up when you hover the mouse over this thread listing on the Feedback forum page.

That shouldn't work because HTML is disabled on this site......

EDIT:

Doesn't work when I hover over this thread.... (Using MyIE2 (IE engine))

> That shouldn't work because HTML is disabled on this site......
It's only disabled when you view a thread. Matt's point was that it comes through via the thread preview window (which happens to me also, by the way).

Hm. I'm using Opera, but I checked on Firefox as well.

It wouldn't be a browser issue. If the forum software is putting unfiltered HTML into that part of the output, any browser should process it.

I had everything enabled when I tried it and it didn't pop up!

It shouldn't, as HTML is disabled globally on this base......

What browsers are you guys running that get this popup?

:confused:

Go to the list of all threads in this forum, or to anywhere where a hyperlink to this thread exists ( including user control panel it seems ), mouse over the link to this thread until the summary of the message content pops up ( little yellow box )..

Screenshot attached. Do you normally get a little yellow summary box when you mouse over a message? If you don't for whatever reason ( browser etc ), then you're 'immune'..

HTML isn't disabled globally. If it was, we'd be looking at plaintext and manufacturing our own post requests.. It's disabled in posts because it is escaped; seemingly at point-of-request rather than at point-of-receipt... or perhaps the summary is extracted at point of receipt, before the escaping has been done. Either way; it's a security risk.

OK, you're using Opera, that might explain it....

I'm using MyIE2 and it doesn't pop up for me (I don't expect it should)

Maybe Opera still executes the script locally instead of from the site?? (I'm telling you 'HTML' is disabled on this site!!)

<a href="http://www.daniweb.com/forums">See what i mean?</a>

Now is that formatted correctly for you?? (It shouldn't be if it is)

Ah well......

Yeah, I get it in IE and Opera, but not FF. Nice find... :-O

I've fixed this bug. Thank you for pointing it out! :)

Obviously not. This was 1 min ago

> OK, you're using Opera, that might explain it....

It happened to me on both Firefox 2 and Safari 3 Beta.

> Maybe Opera still executes the script locally instead of from the site?? (I'm telling you 'HTML' is disabled on this site!!)

> <a href="http://www.daniweb.com/forums">See what i mean?</a>

> Now is that formatted correctly for you?? (It shouldn't be if it is)

The Dude, HTML is not disabled on this site. How do you think this site is displayed, then. Flash? LOL.

What happens is the BBCode parser automatically turns '<' and '>' into their HTML character equivalents, &lt; and &gt; while turning [url][/url] into actual HTML code. I suspect a slightly different parser is used for the thread preview window, because it's only plaintext. When that parser was written, the '<' and '>' parsing was probably omitted, creating the bug that Matt so nicely pointed out.

But back on topic, the bug seems to be fixed, thank you Dani!
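The two render paths described in the post above, sketched as an added example that is not DaniWeb's code or part of any post. The function names, `PREVIEW_LEN`, the simplified `[url]` handling and the sample post with its placeholder host are all assumptions.

```javascript
// Added illustration: names, PREVIEW_LEN and the sample post are assumptions.
const PREVIEW_LEN = 60;

// Escape the characters that let text break out of HTML content or attributes.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Thread view path: escape first, then expand the one BBCode tag handled here.
function renderPostBody(raw) {
  return escapeHtml(raw).replace(
    /\[url\](https?:\/\/[^\s\[\]]+)\[\/url\]/g,
    (_, url) => `<a rel="nofollow" href="${url}">${url}</a>`
  );
}

// Preview path with the bug: the excerpt skips the escaping step,
// so markup in the first part of the post reaches the listing page as HTML.
function previewVulnerable(raw) {
  return `<div class="preview">${raw.slice(0, PREVIEW_LEN)}</div>`;
}

// Preview path fixed: truncate the raw text, then escape it.
// (Escaping first and cutting afterwards could split an entity such as "&lt;".)
function previewFixed(raw) {
  return `<div class="preview">${escapeHtml(raw.slice(0, PREVIEW_LEN))}</div>`;
}

// Constructed sample post; example.invalid is a placeholder host.
const samplePost =
  '<iframe src="http://example.invalid/test.html" /> I noticed this a while back ' +
  '[url]http://example.invalid/[/url]';

// Render the same post through all three paths for comparison.
function demo() {
  return {
    thread: renderPostBody(samplePost),
    vulnerable: previewVulnerable(samplePost),
    fixed: previewFixed(samplePost),
  };
}

console.log(demo());
```

Both views need to share the same escaping routine; a second, hand-written excerpt path is where the omission crept in.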

It's not fixed, obviously, as I'm using IE7 and had the bug an hour ago, hence the post above

Well, it doesn't happen when I enable everything and try it......

> It's not fixed, obviously, as I'm using IE7 and had the bug an hour ago, hence the post above

Could your browser have been caching some files, perhaps?

> Well, it doesn't happen when I enable everything and try it......

Well... you're the only person that has said you didn't get any popup. So the only thing I can assume is that you were using a crappy web browser. :P

> Yes. A Hello World Dialog box pops up when you hover the mouse over this thread listing on the Feedback forum page.

Actually it does not. HTML is disabled

> Could your browser have been caching some files, perhaps?

Don't think so. I'd only just cleared that all out as a matter of fact (had some spyware)

> Obviously not. This was 1 min ago

Mine too, 60 seconds ago

> Well... you're the only person that has said you didn't get any popup. So the only thing I can assume is that you were using a crappy web browser. :P

You're mistaken... my browser is responding like it's supposed to...

HTML code is DISABLED on posts on this site, so it doesn't recognize the CODE itself and execute it.....

> Don't think so. I'd only just cleared that all out as a matter of fact (had some spyware)

That sounds really odd, is the popup still happening for you right now?

> You're mistaken... my browser is responding like it's supposed to...

Your browser is supposed to execute HTML code. The BBCode parser is supposed to escape '<' and '>' (as well as a few other characters like quotes, I think...)

> HTML code is DISABLED on posts on this site, so it doesn't recognize the CODE itself and execute it.....

You have no idea what you're talking about, and I think this discussion is going in circles. To prove my point, look at the source code on this page of the following two lines:
Google
<a href="http://www.google.com">Google</a>

It should look something like the following:

<a rel="nofollow" href="http://www.google.com" target="_blank">Google</a><br />
&lt;a href=&quot;http://www.google.com&quot;&gt;Google&lt;/a&gt;<br />

HTML isn't disabled, it's just that the BBCode parser escapes it, as you can see (&gt; &lt; &quot;)

> Mine too, 60 seconds ago

Duh. Dani fixed the bug. jbennet so far is the only one that has reported getting the popup window after Dani said she fixed it.

I got the "hello world" popup again late last night (it's 10:53am here now)

Which browser are you using?

I am using IE7 and XP home patched to the newest versions

But then I'm using IE7 over XP Prof SP2. I'm not getting the same pop-up which you are getting. What could be the reasons?

I just tried it on another machine (fresh install of xp home sp2, all I did was do the MS updates) and it does it too?

IE7 must not follow CSS like IE6 does..... It doesn't happen for me (As the browser is following the correct action)

> IE7 must not follow CSS like IE6 does
CSS !?

I don't think he has any idea of what he's talking about. It's called JavaScript, not CSS. Either the '<' and '>' are escaped or they're not, and if not, the browser will execute the resulting HTML code.

By the way, I'm going to try IE7 on my XP Pro box to see if I get the popup...

I know what I'm talking about my friend :)

IE6 follows the correct action..... HTML is disabled in posts here and as a result IE6 doesn't execute it....

Nothing to get all uptight about :)

I just had my code (in the proper code pseudotags) in a post show up in the advanced editor as evaluated html, showing the form items I posted code for. This was about 5 minutes ago.

This didn't happen while I was editing, but when I hit the back button after I finished the edit and saw the result (I was stepping back to the main topic menu).

I have a theory:

The text is somehow being evaluated twice. The first time, the & codes are changed into html. The second time, the html is evaluated and rendered.

I just got a FF upgrade just before this started.
